IDS, or intrusion detection systems, can be very costly and resource demanding, because of this many medium and small companies never implements this types of solutions and as a consequence breaches caused by external threat actors to internal employees snooping around in systems will most likely never be discovered. And in the world of GDPR this might spell disaster for a company processing personal identifiable information, and according to GDPR that is more or less everything.
Canary tokens to the rescue.. (maybe)
Enter a free and easy to use tool called “Canary tokens” created by thinkst. Canary tokens will let you create free honeypots (or honey tokens) that will alert you by email when triggered. Now since this is a free and very basic tool it will not provide with much information on who actually triggered the token. It will give you the timestamp on when the token was accessed and source IP, but at least you know that someone is snooping around in your system, and you can take the appropriated actions to counter the breach.
The canary tokens website will let you generate multiple types of tokens, that should cover most of your needs;
- A URL an adversary might visit
- A domain or hostname an adversary might resolve
- A Word or PDF document an adversary might open
- A Bitcoin wallet from which an adversary might withdraw funds
So far I have just been playing around with the Word and PDF tokens and they have worked very well.
Of course as any other security tools and mitigations, advanced attackers can take steps that will void your canary tokens and prevent alerts from being triggered. But to be honest, if advanced hackers (e.g. state sponsored) have a foothold within your corporate network you will be very lucky if you noticed anything at all).
From the Canary Tokens blog – Why should I care
“Network breaches happen. From mega-corps, to governments. From unsuspecting grandmas to well known security pros. This is (kinda) excusable. What isn’t excusable, is only finding out about it, months or years later.
Canary tokens are a free, quick, painless way to help defenders discover they’ve been breached (by having attackers announce themselves.)”
Simple field test
I decided to do a simple field test and posted a canary token PDF file named password.pdf on my test web server. It was not linked from any web pages, but fairly easy to find through directory indexing and traversal, so I did not put much effort into hiding it. After approx 1 hour I got an alert informing me that someone had tried to open my super duper secret file on my web server.
IMPORTANT – It will not prevent a breach.
It is important to note that canary tokens will not protect you from being hacked, but it will provide you with a simple tripwire that, when triggered, will alert that someone is accessing your data.